1 Answer
The following example IAM policy statement allows the principal to enable and disable KMS keys but only when all aliases of the KMS keys include "Test." This policy statement uses two conditions. The condition with the ForAllValues set operator requires that all aliases associated with the KMS key include "Test". The condition with the ForAnyValue set operator requires that the KMS key have at least one alias with "Test." Without the ForAnyValue condition, this policy statement would have allowed the principal to use KMS keys that had no aliases.
{
    "Sid": "AliasBasedIAMPolicy",
    "Effect": "Allow",
    "Action": [
        "kms:EnableKey",
        "kms:DisableKey"
    ],
    "Resource": "arn:aws:kms:*:111122223333:key/*",
    "Condition": {
        "ForAllValues:StringLike": {
            "kms:ResourceAliases": [
                "alias/*Test*"
            ]
        },
        "ForAnyValue:StringLike": {
            "kms:ResourceAliases": [
                "alias/*Test*"
            ]
        }
    }
}
Answered 2 years ago
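A local simulation of the two set operators described in the answer above, added here as an illustration (it is not part of the original answer and not AWS's evaluation code). The function names and the sample alias sets are constructed assumptions; the pattern is the one from the policy statement.

```python
import re

PATTERNS = ["alias/*Test*"]  # value list from the policy statement above

def string_like(value, pattern):
    """IAM StringLike: case-sensitive, '*' matches any run, '?' one character."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, value, re.DOTALL) is not None

def matches_any_pattern(value, patterns):
    return any(string_like(value, p) for p in patterns)

def for_all_values(values, patterns):
    # Every value must match. An empty set passes (vacuous truth), which is
    # why ForAllValues alone would admit a KMS key that has no aliases.
    return all(matches_any_pattern(v, patterns) for v in values)

def for_any_value(values, patterns):
    # At least one value must match, so an empty set fails.
    return any(matches_any_pattern(v, patterns) for v in values)

def allowed(aliases, require_any=True):
    """Evaluate the Condition block against a key's kms:ResourceAliases set."""
    ok = for_all_values(aliases, PATTERNS)
    if require_any:
        ok = ok and for_any_value(aliases, PATTERNS)
    return ok

# Constructed sample keys and their aliases (hypothetical names).
SAMPLE_KEYS = {
    "no-aliases": [],
    "only-test": ["alias/ProjectTest", "alias/Test-eu"],
    "mixed": ["alias/Test-app", "alias/prod-db"],
    "lowercase": ["alias/test-app"],  # StringLike is case-sensitive
}

def evaluate(require_any=True):
    return {name: allowed(a, require_any) for name, a in SAMPLE_KEYS.items()}

if __name__ == "__main__":
    both = evaluate(True)
    all_only = evaluate(False)
    for name in SAMPLE_KEYS:
        print(f"{name:11} both conditions={both[name]!s:5} "
              f"ForAllValues only={all_only[name]}")
```

The only row that differs between the two columns is the key with no aliases, which is the gap the ForAnyValue condition closes.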